Re: Drupal cron.php access control.

António P. P. Almeida
August 18, 2010 09:18AM
On 18 Aug 2010 00h49 WEST, mdounin@mdounin.ru wrote:

Hello Maxim,

Thank you for your reply.

> Hello!
>
> On Tue, Aug 17, 2010 at 09:08:53PM +0100, António P. P. Almeida
> wrote:
>
>> Hello,
>>
>> I'm setting an access control for Drupal cron.php that is invoked
>> via a cron job.
>>
>> I tried two approaches and both seem to work
>>
>> 1. Use the Access module and specify the allowed host.
>>
>> location /cron.php {
>>     deny all;
>>     allow 127.0.0.1;
>>     allow 192.168.1.0/24;
>>     fastcgi_pass 127.0.0.1:9000;
>> }
>
> This one will always return 403 due to "deny all" directive listed
> first. Order of deny/allow directives is important, first match
> wins.

It was working because I had created a new git branch and forgot to do
the checkout in the cloned repository in /etc/nginx. My mistake :(

I assumed that nginx would work like Apache minus the order deny,allow
directive. My reasoning was that first I denied access and then nginx
would parse the remaining directives to see if there are any allowed
addresses.

I noticed that at http://wiki.nginx.org/NginxHttpAccessModule

In fact the order is *always* allow <some addresses> deny all;

But I'm conditioned by the way Apache access directives work and
assumed it was more or less the same minus the order directive.

I misunderstood the docs in the wiki. I just edited it, trying to make
things more explicit and lowering the probability of this type of
mistake occurring to someone else.

http://wiki.nginx.org/NginxHttpAccessModule#Synopsis

>> 2. Use a conditional.
>>
>> location /cron.php {
>>     if ($remote_adrr ~* (192\.168\.1\.(1|2)|127\.0\.0\.1)) {
>>         fastcgi_pass 127.0.0.1:9000;
>>     }
>>     return 404;
>> }
>
> This one will always return 404 (with s/adrr/addr/ typo fix).
> Probably you mean to add "break" inside "if".

Yes it's a typo. I just wrote instead of cutting & pasting.

> But this isn't a recommended approach, see here for details:
>
> http://wiki.nginx.org/IfIsEvil
>

Yes I did that. Thank you. Currently:

# Restrict cron access to a specific host.
location /cron.php {
    allow 127.0.0.1;
    allow 192.168.1.0/24;
    error_page 403 =404;
    fastcgi_pass 127.0.0.1:9000;
    deny all;
}

Working fine.

> Non-capturing groups work just fine. It's missed "break" which
> causes 404, see above.

Yes I have it in other locations and it's working fine. It was the
missing break. Anyway I dropped the if and followed your suggestion of
employing access rules.

> Maxim Dounin

--- appa


_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
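
The first-match rule discussed in this thread, as an added example (not part of the original message and not nginx's own code): a simplified, IPv4-only Python model of how allow/deny directives are checked in order, run over both orderings posted above. The function names and client addresses are constructed for illustration, and 200 stands for "request handed on to fastcgi_pass".

```python
import ipaddress

# The two orderings posted in the thread (allow/deny lines only).
DENY_FIRST = """
deny all;
allow 127.0.0.1;
allow 192.168.1.0/24;
"""
ALLOW_FIRST = """
allow 127.0.0.1;
allow 192.168.1.0/24;
deny all;
"""

def parse_rules(block):
    """Return (action, network) pairs for allow/deny lines, in config order."""
    rules = []
    for line in block.splitlines():
        parts = line.strip().rstrip(";").split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            # Assumption of this model: "all" is treated as every IPv4 address.
            net = "0.0.0.0/0" if parts[1] == "all" else parts[1]
            rules.append((parts[0], ipaddress.ip_network(net)))
    return rules

def status_for(rules, client):
    """The first rule that matches the client decides; later rules are never read."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if addr in net:
            return 403 if action == "deny" else 200
    return 200  # no rule matched: access is not restricted

if __name__ == "__main__":
    # Constructed client addresses: loopback, the cron host's LAN, an outsider.
    clients = ("127.0.0.1", "192.168.1.7", "203.0.113.9")
    for name, block in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        rules = parse_rules(block)
        for client in clients:
            print(f"{name:12} {client:14} -> {status_for(rules, client)}")
```

With "deny all" listed first every client gets 403, including 127.0.0.1; with it listed last only the address outside the allowed ranges is refused.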